Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Addressing Cisco Security Issues
From: "Exibar" <exibar () thelair com>
Date: Mon, 29 Mar 2004 16:33:57 -0500

That is always a great thing to do.  If one company says it's another's
fault, you kindly ask them to hold on a second, get the other company on the
line and let them hash it out.

   I can say that it works every time :-)


----- Original Message ----- 
From: "Jason Dodson" <mindchild () yahoo com>
To: "Geo." <geoincident1 () getinfo org>; <full-disclosure () lists netsys com>;
<bugtraq () securityfocus com>
Sent: Monday, March 29, 2004 2:35 PM
Subject: [Full-disclosure] Re: Addressing Cisco Security Issues

I have had a similar run-around with AT&T Broadband and Sprint a while
back, pertaining to a DoS
attack my organization was experiencing. Not to dive into details, to
resolve the issue, I got
them both on the line in a 3-way conversation, and it was taken care of in
less then 5 minutes.
They didn't seem to eager to shrug off the responsibility to someone else,
when that someone else
was right there on the phone.

Jason Dodson

--- "Geo." <geoincident1 () getinfo org> wrote:
I have to post this because I consider this to be a security issue in
own right.

Recently there were a number of exploits released for cisco equipment,
the affected equipment were the 677 and 678 consumer DSL routers of
there are millions in use.

I have one such router, the DSL circuit is provided by Alltel and I work
the ISP who provides the actual internet access.

So upon reading recent warning notice sent to the security email lists
the exploits being publicly available I went and read
http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much
any router running a version of CBOS prior to 2.4.5 (actually you need
because of later exploits) is vulnerable.

So like a good netizen I contacted cisco TAC via telephone, gave them my
serial number and they informed me that they could not provide the
update because my router is registered to alltel (alltel did provide the
router when I ordered the DSL circuit), please call Alltel to get it. Ok
then I called Alltel, who told me no problem we can email you the update
asked for my email address. Except since Alltel is not the ISP I don't
an alltel email address so then they won't email it to me, please
your ISP. I then informed Alltel that I AM MY ISP to which they replied
still could not provide the patch and that I would have to get it from

So then I call Cisco TAC again, this time I explain the full details of
I've just been thru and the tech decides to ask someone. Comes back and
if I register on the cisco website that he can open a ticket and get
to call me back on it. (I'm presently waiting for that call)

In the mean time I decided to google for it and low and behold I found
on a website (url not posted to protect the life saving individuals who
it on the web). Now of course I've no way to know if this version I just
found is safe or not but HELLO CISCO???

If you are going to issue security alerts that require ISP's and
to patch their hardware devices then you had better damn well make sure
folks can actually GET THE PATCHES. It would require no effort at all to
post a bogus version full of back doors and whatnot on the web and after
seeing the nightmare it is to obtain the patch thru official channels
clear to me that this would be a very popular download.


Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]